Here's something interesting (well, as fun as passwords get), which could make life simpler in future:
The man who wrote the rules about complex passwords (Bill Burr, author of NIST's original 2003 password guidance) now says he was wrong. NIST, the US standards body that made the case 15 years ago for complex passwords, frequently changed, now admits those rules may have been wrong and, worse, that they have been counterproductive and have weakened average security.
Changing passwords: a short history
- In the "old days", network passwords were simple, under 8 characters, and changed regularly, possibly every 30 days.
- In recent years, passwords became much longer and more complex, and were changed less often, typically every 60 to 90 days.
- In future, if your password is strong enough, NIST now suggests you may never need to change it, unless there is a high risk or a suspected breach.
Before we explain what's going on, remember we've long said that passwords on their own are dead, and that Multi-Factor Authentication (tokens, like the one your bank may provide) is far better security.
What should I do now?
Make no changes to your password policy based on this advice just yet.
Remember:
- Never reuse passwords
Don't share passwords between sites. Make every one unique.
A compromise elsewhere means everywhere you used that password is now vulnerable: attackers routinely try leaked username and password pairs against other sites (more below).
- Change simple or short passwords
If any of your passwords are too simple, or under 8 to 10 characters, change them now.
Password123 or Company999, for example, must be replaced with a longer phrase (preferably 12+ characters) that you can remember.
- Be proportionate
The more sensitive the information you're protecting, the stronger the password should be and the more frequently you should change it. If you used the same password elsewhere, it's now too weak: change it.
- Use a Password Manager
You don't need to know or even see most of your passwords: a password manager generates and autofills a unique one for each site you use.
- Use MFA
Use two-factor / multi-factor authentication wherever you can. Combined with a password (something you know), these tokens (something you have) hugely improve your security.
Why this change?
Forced complexity and too-frequent password changes can be counterproductive and drive the wrong behaviour (for example writing passwords down, or making predictable tweaks such as changing Password1 to Password2), so says NIST.
NIST (the US National Institute of Standards and Technology) is a federal agency whose computer-security guidance is mandatory for US government systems and widely adopted by businesses as best practice. Its revised guidance (Special Publication 800-63B) drops routine password expiry and forced complexity rules, but only on condition that passwords are stronger in other ways: long enough, screened against lists of common and previously breached passwords, and changed immediately if compromise is suspected.
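To make that contrast concrete, here is an added example in Python (not code from the original post): a legacy composition-rule checker beside a length-plus-blocklist checker of the kind NIST's revised guidance describes. The thresholds (8 characters and 3 of 4 character classes for the old rules, 12 characters for the new), the leetspeak table and the tiny blocklist are assumptions chosen to match the advice above; the candidate passwords include the post's own Password123 and Company999.

```python
"""Legacy composition-rule policy versus a NIST-style length + blocklist policy.

Added example, not code from the original post. The thresholds (8 chars / 3 of 4
classes for the legacy rules, 12 chars for the new ones) and the blocklist
contents are assumptions chosen to match the post's advice.
"""
import re
from typing import List, Tuple

# Constructed sample blocklist. A real deployment screens against a large
# corpus of common and breach-derived passwords, not a handful of entries.
SAMPLE_BLOCKLIST = [
    "password", "password123", "p@ssw0rd", "qwerty", "letmein",
    "welcome1", "company999", "summer2017",
]

# Substitutions users commonly make to satisfy complexity rules (assumed table).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a"})


def normalize(pw: str) -> str:
    """Canonical form so trivial variants of a blocked word are still caught:
    case-fold, strip trailing digits/punctuation, then undo leetspeak."""
    base = re.sub(r"[\d!?.*_-]+$", "", pw.lower())
    base = base.translate(LEET)
    return base or pw.lower()


BLOCKED = {normalize(w) for w in SAMPLE_BLOCKLIST}


def legacy_policy(pw: str) -> Tuple[bool, List[str]]:
    """The 'complex password' rules the post describes, in their usual form:
    at least 8 characters drawn from 3 of 4 character classes (assumed thresholds).
    Note that it never asks whether the password is a well-known one."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < 3:
        problems.append("uses fewer than 3 of 4 character classes")
    return (not problems, problems)


MIN_LENGTH = 12  # the post's recommendation (NIST's own floor is 8)


def modern_policy(pw: str) -> Tuple[bool, List[str]]:
    """Length plus a screen against known-bad passwords, nothing else:
    no composition rules, any printable character (spaces included) allowed,
    and no scheduled expiry; rotation is triggered only by suspected compromise."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(pw) in BLOCKED:
        problems.append("is a known-bad password or a trivial variant of one")
    if len(set(pw)) < 4:
        problems.append("too few distinct characters")
    return (not problems, problems)


def compare(pw: str) -> Tuple[bool, bool]:
    """Return (accepted_by_legacy, accepted_by_modern) for a candidate."""
    return legacy_policy(pw)[0], modern_policy(pw)[0]


if __name__ == "__main__":
    candidates = [
        "Password123",                    # the post's example of what to change
        "Company999",                     # likewise
        "P@ssw0rd!2017",                  # satisfies every complexity rule
        "correct horse battery staple",   # long and memorable, no 'complexity'
    ]
    for pw in candidates:
        old_ok, old_why = legacy_policy(pw)
        new_ok, new_why = modern_policy(pw)
        print(f"{pw!r:34} legacy={'accept' if old_ok else 'reject'}"
              f"  modern={'accept' if new_ok else 'reject'}")
        for why in old_why + new_why:
            print(f"{'':36}- {why}")
```

Run it and the legacy rules accept Password123, Company999 and P@ssw0rd!2017 while rejecting the four-word passphrase for lacking digits and capitals; the newer rules do the reverse, because normalisation catches the predictable substitutions users make to satisfy complexity checks. A production version would screen against a breach-derived corpus of millions of entries, not eight.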
Don't make any changes just yet; we'll let things settle down first. As above, we recommend Multi-Factor Authentication for anything sensitive.